
I'm working on the LDAP overlay of the MitreID Connect project and everything is working great:

  1. Authentication
  2. Retrieving attributes from LDAP Directory

The problem I have now is how to retrieve operational attributes from the LDAP directory.

I'm not good with Spring development, but I found some documentation that treats this subject, though I'm not able to make it work.

Here's what I found:

Retrieving operational attributes

LDAP servers maintain many operational attributes internally. For example, entryUUID is an operational attribute that assigns a Universally Unique Identifier (UUID) to the entry. The createTimestamp and modifyTimestamp are also operational attributes, assigned to the entry on create or update. These operational attributes do not belong to an object class and hence they are not returned as part of your search or lookup. You need to explicitly request them by name in your search or build a custom AttributesMapper implementation with matching attribute names. Now let's try to retrieve the entryUUID. First you need to build the search controls like this:

    SearchControls controls = new SearchControls();
    controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    controls.setReturningObjFlag(false);
    controls.setReturningAttributes(new String[]{"entryUUID"});

Once you have the search controls, it's simply a matter of calling the search method, just like when retrieving any other attributes:

    ldapTemplate.search("baseName", "(objectclass=person)", controls, new AttributesMapper() {
        public Object mapFromAttributes(Attributes attrs) throws NamingException {
            Attribute attrUuid = attrs.get("entryUUID");
            return attrUuid;
        }
    });

Here is another way to do the same using a ContextMapper (the search scope 1 is ONELEVEL_SCOPE):

    ldapTemplate.search("baseName", "(objectclass=person)", 1, new String[]{"entryUUID"},
        new ContextMapper() {
            public Object mapFromContext(Object ctx) {
                DirContextAdapter context = (DirContextAdapter) ctx;
                return context.getStringAttributes("entryUUID");
            }
        });

Let's add a filter based on operational attributes, like below (the timestamp values are placeholders in LDAP generalized time format):

    OrFilter orFilter = new OrFilter();
    orFilter.or(new GreaterThanOrEqualsFilter("createTimestamp", "YYYYMMDDHHMMSSZ"));
    orFilter.or(new LessThanOrEqualsFilter("modifyTimestamp", "YYYYMMDDHHMMSSZ"));

Now call the above search with the filter:

    ldapTemplate.search("baseName", orFilter.encode(), controls, new AttributesMapper() {
        public Object mapFromAttributes(Attributes attrs) throws NamingException {
            Attribute attrUuid = attrs.get("entryUUID");
            return attrUuid;
        }
    });
  • Are you sure that the operational attribute 'entryUUID' is provided by the LDAP Directory Server you are using? You may first use the ldapsearch CLI tool to retrieve all operational attributes by specifying '?' as the return attribute. An objectclass=person filter will most likely retrieve all entries in the Directory Server .... this should not be used in general. This is not that nice for a Directory Server; at the least you should use a paged result control if possible. You may first use a search with a specific filter, like 'uid=XYZ' – Bernhard Thalmayr Feb 21 '17 at 20:51
  • Then you could do the same with public List search(String base, String filter, int searchScope, String[] attrs, AttributesMapper mapper) leveraging org.springframework.ldap.core.support.DefaultIncrementalAttributesMapper – Bernhard Thalmayr Feb 21 '17 at 20:51
  • Sorry, had a blackout yesterday evening, to return all operational attributes you need to specify '+' as return attribute – Bernhard Thalmayr Feb 22 '17 at 07:04
  • I'm able to do it by adding this: SearchControls controls = new SearchControls(); controls.setSearchScope(SearchControls.SUBTREE_SCOPE); controls.setReturningObjFlag(true); controls.setReturningAttributes(new String[]{"uid","mail","telephoneNumber","displayName","memberOf","entryUUID"}); – isedrof Feb 22 '17 at 14:15
  • @BernhardThalmayr thanks for answers – isedrof Feb 22 '17 at 14:20
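As an added example (not code from the question, the comments, or the Spring LDAP documentation quoted above), here is the advice from the comments put into Spring LDAP 2.x Java: the operational attributes are requested explicitly next to the user attributes, the per-user lookup is scoped to one uid through an escaping EqualsFilter instead of a bare (objectclass=person), and the full enumeration runs under the paged results control. The class and method names are hypothetical, and the LdapTemplate is assumed to be configured by the application.

```java
import java.util.List;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import org.springframework.ldap.control.PagedResultsCookie;
import org.springframework.ldap.control.PagedResultsDirContextProcessor;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;

public final class OperationalAttributeSearch {  // hypothetical helper class
    // Operational attributes are never returned implicitly: name each one next to the
    // user attributes the application needs ("+" alone would request all of them).
    private static final String[] RETURNING =
        {"uid", "mail", "entryUUID", "createTimestamp", "modifyTimestamp"};
    // Entries may come back without entryUUID; map those to null instead of failing.
    private static final AttributesMapper<String> ENTRY_UUID = attrs -> {
        Attribute a = attrs.get("entryUUID");
        return a == null ? null : (String) a.get();
    };

    private static SearchControls controls() {
        SearchControls c = new SearchControls();
        c.setSearchScope(SearchControls.SUBTREE_SCOPE);
        c.setReturningObjFlag(false);
        c.setReturningAttributes(RETURNING);
        return c;
    }

    // Scoped lookup: EqualsFilter escapes the uid value, so caller input cannot
    // widen the filter back to the whole directory.
    public static List<String> entryUuidForUid(LdapTemplate ldap, String base, String uid) {
        AndFilter filter = new AndFilter()
            .and(new EqualsFilter("objectclass", "person"))
            .and(new EqualsFilter("uid", uid));
        return ldap.search(base, filter.encode(), controls(), ENTRY_UUID);
    }

    // Full enumeration in pages (RFC 2696 paged results control) rather than one unbounded
    // search; all pages must share one connection (SingleContextSource.doWithSingleContext).
    public static List<String> allEntryUuidsPaged(LdapTemplate ldap, String base, int pageSize) {
        List<String> all = new java.util.ArrayList<>();
        PagedResultsCookie cookie = null;
        do {
            PagedResultsDirContextProcessor p = new PagedResultsDirContextProcessor(pageSize, cookie);
            all.addAll(ldap.search(base, "(objectclass=person)", controls(), ENTRY_UUID, p));
            cookie = p.getCookie();  // null or empty cookie means the server sent the last page
        } while (cookie != null && cookie.getCookie() != null && cookie.getCookie().length > 0);
        return all;
    }
}
```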
